CVE-2022-20132 in Android

Summary

by MITRE • 06/15/2022

In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-188677105
References: Upstream kernel


Analysis

by VulDB Data Team • 05/18/2025

The vulnerability identified as CVE-2022-20132 represents a critical out-of-bounds read flaw within the Linux kernel's USB HID subsystem, specifically affecting the lg_probe function and related components in hid-lg.c. This issue resides in the Android kernel implementation and demonstrates a fundamental failure in input validation mechanisms that process data from external USB HID devices. The flaw occurs during the device probing phase when the kernel attempts to enumerate and initialize USB HID devices, creating a potential attack vector through physical device insertion without requiring any elevated privileges or user interaction for exploitation.

The technical root cause of this vulnerability stems from inadequate bounds checking in the USB HID device initialization code where the kernel fails to properly validate the size and structure of incoming data from malicious USB HID devices. When a device is connected, the lg_probe function processes device descriptors and configuration data without sufficient input sanitization, allowing an attacker to craft specially formatted USB HID device responses that trigger memory access violations. This improper input validation directly maps to CWE-129, which describes insufficient validation of length of input buffers, and CWE-787, which addresses out-of-bounds write or read vulnerabilities. The vulnerability exists at the kernel level within the USB Human Interface Device driver, making it particularly dangerous as it operates in kernel space with elevated privileges.

The operational impact of CVE-2022-20132 extends beyond simple information disclosure, as it provides a potential pathway for attackers to extract sensitive kernel memory contents through the out-of-bounds read condition. This information disclosure could expose kernel data structures, memory addresses, or other sensitive information that might aid in subsequent exploitation attempts. Since the vulnerability does not require user interaction or additional execution privileges, any device connected to an affected Android system could potentially trigger the flaw, making it particularly concerning for mobile devices where physical access to USB ports is common. The attack vector is straightforward: an attacker simply needs to connect a malicious USB HID device to a vulnerable system, which aligns with ATT&CK technique T1059.001 for executing malicious code through USB device connections.

Mitigation strategies for this vulnerability should focus on implementing proper bounds checking and input validation throughout the USB HID device processing pipeline. System administrators and device manufacturers should prioritize applying kernel updates that address this specific flaw, as the upstream kernel has already provided fixes for this issue. Additionally, implementing USB device whitelisting mechanisms and restricting USB HID device capabilities at the system level can help reduce the attack surface. The vulnerability highlights the importance of robust input validation in kernel drivers and demonstrates why security-conscious development practices are essential for protecting against such low-privilege exploitation vectors. Organizations should also consider deploying runtime monitoring solutions that can detect anomalous memory access patterns that might indicate exploitation attempts.

Reservation

10/14/2021

Disclosure

06/15/2022

Moderation

accepted

CPE

ready

EPSS

0.00198

KEV

no

Activities

very low
